CVE-2014-3612
Low
Low
Medium
High
Critical
CVSS Score
Vulnerability Description
The LDAPLoginModule implementation in the Java Authentication and Authorization Service (JAAS) in Apache ActiveMQ 5.x before 5.10.1 allows remote attackers to bypass authentication by logging in with an empty password and valid username, which triggers an unauthenticated bind. NOTE: this identifier has been SPLIT per ADT2 due to different vulnerability types. See CVE-2015-6524 for the use of wildcard operators in usernames.
Known Affected Software
18 configuration(s) from 1 vendor(s)
activemq
Version:
5.4.2
CPE:
cpe:2.3:a:apache:activemq:5.4.2:*:*:*:*:*:*:*
activemq
Version:
5.3.0
CPE:
cpe:2.3:a:apache:activemq:5.3.0:*:*:*:*:*:*:*
activemq
Version:
5.4.3
CPE:
cpe:2.3:a:apache:activemq:5.4.3:*:*:*:*:*:*:*
activemq
Version:
5.0.0
CPE:
cpe:2.3:a:apache:activemq:5.0.0:*:*:*:*:*:*:*
activemq
Version:
5.3.2
CPE:
cpe:2.3:a:apache:activemq:5.3.2:*:*:*:*:*:*:*
activemq
Version:
5.9.0
CPE:
cpe:2.3:a:apache:activemq:5.9.0:*:*:*:*:*:*:*
activemq
Version:
5.8.0
CPE:
cpe:2.3:a:apache:activemq:5.8.0:*:*:*:*:*:*:*
activemq
Version:
5.10.0
CPE:
cpe:2.3:a:apache:activemq:5.10.0:*:*:*:*:*:*:*
activemq
Version:
5.4.1
CPE:
cpe:2.3:a:apache:activemq:5.4.1:*:*:*:*:*:*:*
activemq
Version:
5.2.0
CPE:
cpe:2.3:a:apache:activemq:5.2.0:*:*:*:*:*:*:*
activemq
Version:
5.3.1
CPE:
cpe:2.3:a:apache:activemq:5.3.1:*:*:*:*:*:*:*
activemq
Version:
5.7.0
CPE:
cpe:2.3:a:apache:activemq:5.7.0:*:*:*:*:*:*:*
activemq
Version:
5.9.1
CPE:
cpe:2.3:a:apache:activemq:5.9.1:*:*:*:*:*:*:*
activemq
Version:
5.1.0
CPE:
cpe:2.3:a:apache:activemq:5.1.0:*:*:*:*:*:*:*
activemq
Version:
5.5.1
CPE:
cpe:2.3:a:apache:activemq:5.5.1:*:*:*:*:*:*:*
activemq
Version:
5.5.0
CPE:
cpe:2.3:a:apache:activemq:5.5.0:*:*:*:*:*:*:*
activemq
Version:
5.4.0
CPE:
cpe:2.3:a:apache:activemq:5.4.0:*:*:*:*:*:*:*
activemq
Version:
5.6.0
CPE:
cpe:2.3:a:apache:activemq:5.6.0:*:*:*:*:*:*:*
This vulnerability affects 18 software configuration(s). Ensure you patch all affected systems.
References & Resources
-
http://activemq.apache.org/security-advisories.data/CVE-2014-3612-announcement.txtsecalert@redhat.com Vendor Advisory
-
http://rhn.redhat.com/errata/RHSA-2015-0137.htmlsecalert@redhat.com
-
http://rhn.redhat.com/errata/RHSA-2015-0138.htmlsecalert@redhat.com
-
http://seclists.org/oss-sec/2015/q1/427secalert@redhat.com
-
http://www.securityfocus.com/bid/72513secalert@redhat.com
-
https://lists.apache.org/thread.html/a859563f05fbe7c31916b3178c2697165bd9bbf5a65d1cf62aef27d2%40%3Ccommits.activemq.apache.org%3Esecalert@redhat.com
-
http://activemq.apache.org/security-advisories.data/CVE-2014-3612-announcement.txtaf854a3a-2127-422b-91ae-364da2661108 Vendor Advisory
-
http://rhn.redhat.com/errata/RHSA-2015-0137.htmlaf854a3a-2127-422b-91ae-364da2661108
-
http://rhn.redhat.com/errata/RHSA-2015-0138.htmlaf854a3a-2127-422b-91ae-364da2661108
-
http://seclists.org/oss-sec/2015/q1/427af854a3a-2127-422b-91ae-364da2661108
-
http://www.securityfocus.com/bid/72513af854a3a-2127-422b-91ae-364da2661108
-
https://lists.apache.org/thread.html/a859563f05fbe7c31916b3178c2697165bd9bbf5a65d1cf62aef27d2%40%3Ccommits.activemq.apache.org%3Eaf854a3a-2127-422b-91ae-364da2661108
Severity Details
out of 10.0
Low
Weakness Type (CWE)
CWE-287
Top 25 #10
Improper Authentication
- Description
- When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
- Exploit Likelihood
- High
- Typical Severity
- High
- OWASP Top 10
- A07:2021-Identification/Auth Failures
- Abstraction Level
- Class
Key Information
- Published Date
- August 24, 2015
